IT FORENSICS 5 - ACTION ON SCENE

Preserving Evidence is the first priority, therefore there are steps to be taken which may prove vital later on

Something not to be forgotten is that those first on a scene should take steps to ensure the safety of all persons and of course to ensure the integrity of evidence. All activities should adhere to your company's organisational policy and the law. Ideally, of course, a locus will be left alone until qualified personnel are available. If you can, visually identify potential evidence whether physical or electronic and evaluate whether any is fragile

Tel: 020 7158 0332

Monitor is on/Desktop visible

Photograph screen and note info displayed

Remove the power cable from the computer (not from the wall)

If a laptop, remove the battery

Record make, model and serial number and any other evidence

Monitor is on/ screen blank

Move the mouse - if the screen changes photograph screen and note info displayed

Remove the power cable from the computer (not from the wall)

If a laptop, remove the battery

Record make, model and serial number and any other evidence

Monitor is off

Make a note of monitor being off and turn on - be careful not to leave fingerprints

Photograph screen and note info displayed

Remove the power cable from the computer (not from the wall)

If a laptop, remove the battery

Record make, model and serial number and any other evidence

Email Investigator

Call our Head Office on 01483 200999 Our first action will be to arrange collection of the machine to enable us to make a first generation copy and initiate documentation procedures. It may be possible to clone the machine on-site, however this is more easily done overnight, with the machine returned to you next day. We can, if appropriate, also arrange for relevant examiners (e.g. fingerprinting) to be on-site at first opportunity

Computer forensics is a generic name describing forensic analysis and reporting of computer or IT media. As well as the hard drive(s) this may include USB drives, MP3/4's, external drives etc. While most cases involve Windows Operating Systems we can also apply the same principles to Mac OS and Linux. Never make the error of believing that when you hit the delete key the information is gone - there is a high possibility deleted data may be recovered in it's entirety

We apply Computer forensics in investigation for many reasons including:

Misuse of company information by employee or ex-employee

Internal theft or fraud

Analysis of email and deleted files

Pornography and/or illegal downloads

Data Recovery

Paedophilia

Substance Abuse / dealing

Internet Misuse

Theft of Intellectual Property (e.g. databases)

Click for next page

Corporate Investigation

The Daily Telegraph report on an employment tribunal case involving cimputer forensic evidence

Undeniable mathematical evidence from interrogation of a corporate laptop or terminal

Litigious evidence gained from computer forensic work for Solicitors firms

Reconstruction of deleted computer files as an evidence base

Retaining evidence form of a suspect machine prior to the machine's analysis

Forensic Analysis and recovery from MSmart Phones, memory and SIM cards

How to maintain the machine so that evidence remains intact before cloning of the hard drive

Preserving Evidence - keeping the suspect machine in a state prpearatory for examination